[57] ABSTRACT

A controller of a control system, which operates as a master, has a slave input/output processor (IOP) connected thereto which communicates with at least one device of a predetermined type, and a backup slave IOP connected thereto of the same type as the slave IOP, the slave IOP operating as a primary IOP to the device. A method for providing backup to the slave IOP by the backup slave IOP comprises the steps of loading the backup slave IOP with the same data base as the slave IOP. The backup slave IOP eavesdrops on all communications from the controller to the slave IOP. When a write command is communicated to the slave IOP, the backup slave IOP taps the data from the bus and updates its data base. If the command is not a write command, ignores the communication. When a fault is detected by either the slave IOP or the backup slave IOP, the detection of the fault is communicated to the other IOP. The IOPs then failover such that the backup IOP is operatively connected to the device and the slave IOP is disconnected from the device. Finally, the controller acknowledges that the backup slave IOP is now operating as the primary source to the device.

10 Claims, 6 Drawing Sheets 
UNIVERSAL SCHEME OF INPUT/OUTPUT REDUNDANCY IN A PROCESS CONTROL SYSTEM

RELATED PATENT APPLICATIONS

The present application is related to U.S. patent application, Ser. No. 07/588,387, entitled "Fault Detection in Relay Drive Circuits", by K. T. Kummer et al., filed on even date herewith, and assigned to Honeywell Inc., the assignee of the present application.

BACKGROUND OF THE INVENTION

This invention relates to a method for implementing redundancy, and more particularly, to a method for implementing 1:1 I/O redundancy of a slave processor.

Process Control Systems with backup process controllers such as described and claimed in U.S. Pat. No. 4,133,027, issued to J. A. Hogan on Jan. 2, 1979, and U.S. Pat. No. 4,141,066, issued to Y. Keiles on Feb. 20, 1979, include a backup controller having a dedicated Random Access Memory (RAM) and a dedicated Read-Only Memory (ROM). The back-up controller is essentially idle or can be doing some background tasks, but not tasks relating directly to the process control function. Upon detection of a failure of one of the primary process controllers, the data stored in the RAM of the failed controller must be transferred to the RAM of the backup controller to perform the operations of the primary controller. These systems describe a 1:N redundancy system.

Existing systems, such as that described in U.S. patent application, Ser. No. 07/299,859, filed on Jan. 23, 1989, and assigned to Honeywell Inc., the assignee of the present application, now U.S. Pat. No. 4,958,270, provide for a 1:1 redundancy system, whereby the data base of a secondary device (i.e., secondary or backup controller) is updated periodically such that the updating process is transparent to the primary functions and does not tie-up (or penalize) CPU or processor performance and utilizes a minimum amount of time. When a failover condition occurs, there is a period of time when no communications can take place (i.e., an outage) between the primary controller and the remainder of the system. Further, the primary and secondary controllers are in a predefined location, and the software utilized for implementing this redundancy feature (i.e., redundancy software) is not transparent to other layers of software above the redundancy software. For example, if a Universal Station of a plant control network were to interrogate a controller (i.e., a primary controller since the secondary controller cannot be interrogated), of a process controller of a process control system, for a value, during failover the controller is unable to respond and the universal station outputs question marks on the display to the operator.

The present invention provides a method of 1:1 redundancy for any type of slave processor in a master-slave relationship consisting of a master node and a group of user definable slave processors for a set of slave-type processors, in which the redundancy software is transparent to all other software layers above the redundancy software, and in which the failover is essentially simultaneously, there is no period of time in which an outage occurs.

SUMMARY OF THE INVENTION

Therefore, there is provided by the present invention, a method for providing a redundancy scheme for slave processors. A control system includes a control network for controlling a process and interfaces with a controller. The controller, which operates as a master, has a slave input/output processor (IOP) connected thereto which communicates with at least one device of a predetermined type, the types including analog input, analog output, digital input, and digital output. The controller also has a backup slave IOP connected thereto of the same type as the slave IOP. The slave IOP is operatively connected to the device and operates as a primary IOP to the device. A method for providing backup to the slave IOP by the backup slave IOP comprises the steps of loading the backup slave IOP with the same data base as the slave IOP. The backup slave IOP eavesdrops on all communications from the controller to the slave IOP. When a write command is communicated to the slave IOP, the backup slave IOP taps the data from the bus and updates its data base thereby insuring the data base of the backup slave IOP is the same as the slave IOP. If the command is not a write command, the backup slave IOP ignores the communication. When a fault is detected by either the slave IOP or the backup slave IOP, the detection of the fault is communicated to the other IOP. The IOPs then failover such that the backup slave IOP is operatively connected to the device and the slave IOP is disconnected from the device. Finally, the controller acknowledges that the backup slave IOP has become the primary source to the device. The switching of the primary IOP from the slave IOP to the backup slave IOP occurs without any loss of communications within the control system and is transparent to the control system as well as any other interrogating device.

Accordingly, it is an object of the present invention to provide a method for implementing 1:1 redundancy for any type of slave processor in a master-slave relationship.

It is another object of the present invention to provide a method for implementing 1:1 redundancy which can accommodate any number and any mix of slave processors.

It is still another object of the present invention to provide a method for implementing 1:1 redundancy in which physical location between the slave processor and the corresponding backup slave processor is selectable.

It is yet another object of the present invention to provide a method for implementing 1:1 redundancy whereby the redundancy of the slave processor and the backup slave processor is transparent to all software layers above the redundancy software layer.

It is a further object of the present invention to provide a method for implementing 1:1 redundancy whereby no communication outages occur in affecting a failover between the slave processor and the backup slave processor.

These and other objects of the present invention will become more apparent when taken in conjunction with the following description and attached drawings, wherein like characters indicate like parts, and which drawings form a part of the present application.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a process control system in which the present invention can be utilized;

FIG. 2 shows a block diagram of a process controller, including I/O modules (IOP), in which the present invention can be utilized;

FIG. 3 shows a block diagram of a controller which is included in the process controller of FIG. 2;

FIG. 4 shows a block diagram of an I/O module which is included in the process controller of FIG. 2; and

FIG. 5 shows a block diagram of the redundancy scheme of the present invention; and

FIG. 6 shows a simplified block diagram of the process controller of FIG. 2.

DETAILED DESCRIPTION

Before describing the method of the present invention, it will be helpful in understanding a system environment in which the present invention can be utilized. Referring to FIG. 1, there is shown a block diagram of a process control system 10 in which the present invention can be found. The process control system 10 includes a plant control network 11, in which a process controller 20 is operatively connected to the plant control network 11 via a universal control network (UCN) 14 to a network interface module (NIM) 602. In the preferred embodiment of the process control system 10, additional process controllers 20 can be operatively connected to the plant control network 11 via a corresponding UCN 14 and a corresponding NIM 602. The process controller 20, interfaces analog input and output signals, and digital input and output signals (A/I, A/O, D/I, and D/O, respectively) to the process control system 10 from the variety of field devices (not shown) which include valves, pressure switches, pressure gauges, thermocouples, ....

The plant control network 11 provides the overall supervision of a controlled process, in conjunction with the plant operator, and obtains all the information needed to perform the supervisory function, and includes an interface with the operator. The plant control network 11 includes a plurality of physical modules, which include a universal operator station (US) 122, an application module (AM) 124, a history module (HM) 126, a computer module (CM) 128, and duplicates of these modules (and additional types of modules, not shown) as necessary to perform the required control/supervisory function of the process being controlled. Each of these physical modules is operatively connected to a local control network (LCN) 120 which permits each of these modules to communicate with each other as necessary. The NIM 602 provides an interface between the LCN 120 and the UCN 14. A more complete description of the plant control network 11, and the physical modules can be had by reference to U.S. Pat. No. 4,607,256.

Referring to FIG. 2 there is shown a block diagram of the process controller 20. The process controller 20 of the preferred embodiment of the process control system 10 includes a controller A 30 and a controller B 40, which effectively operate as a primary and secondary controller. Controller A 30 and controller B 40 are connected to the UCN 14, the UCN 14 in the preferred embodiment, comprising for communication redundancy purposes, a UCN(A) 14A and a UCN(B) 14B. Input/output processors (IOPs) (sometimes referred to herein as input output (I/O) modules) 21 interface to field devices, field devices being various valves, pressure switches, pressure gauges, thermocouples, . . . which can be analog inputs (A/I), analog outputs (A/O), digital inputs (D/I), and digital outputs (D/O). The controller A 30 interfaces to each I/O module 21 via a bus A 22, and controller B 40 interfaces to each I/O module 21 via a bus B 23. In addition, once again for communication redundancy purposes, controller A 30 is also connected to bus B 23 and controller B 40 is connected to bus A 22.

Controller A and controller B, 30, 40, can communicate with each other via three mediums, the UCN 14, a link 13 between the controllers, and the buses A, B, 22, 23, with bus A and bus B in the preferred embodiment being serial I/O links. One controller (controller A 30 or controller B 40) operates as a primary controller and the other controller operates as a secondary controller (in more of a reserve mode than a back-up, in that if a failure of controller A 30 should occur, controller B is ready to take over the control function with essentially no start-up or initialization time). On a predetermined time basis, point processing is performed by the controller designated as the primary controller and communicates with the I/O modules 21. In addition, the controller acting as the primary controller communicates with the plant control network 11 reporting status, history, and accepting inputs from the plant control network such as commands from the operator via the universal station 122. In addition, a data base maintained by the primary controller is communicated to the secondary controller via link 13. As mentioned above, one controller operates as a secondary controller; however, it will be understood by those skilled in the art that a secondary controller is not necessary for the process controller 20.

Referring to FIG. 3, there is shown a block diagram of the controller 30, 40. A modem 50 is connected to the UCN 14, the modem having two inputs, one connected to UCN 14A and the other connected UCN 14B. The modem 50 interfaces with a communication unit (COMM) 60 which in turn interfaces with a global memory 70, an I/O interface unit 80, and a control unit 90 via global bus 72. The communication unit 60 includes a communication control unit, in the preferred embodiment a token bus controller (TBC) 61, Motorola type 68824, which is connected to a local bus 62. A processor A 63 (which essentially performs the communication function) is connected to the local bus 62, and a local memory A 64, which is also connected to the local bus 62. The processor A 63 communicates with the plant control network 11 via modem 50 and TBC 61. The local memory A 64 stores information, including personality image which is downloaded from the plant control network 11, for use by processor A 63 and TBC 61. The global memory 70 stores information which is common to both processor A 63 and a processor B 91. It also stores all the data received from bus A 22 and bus B 23. The global memory 70 also serves as an interprocessor communication vehicle between the processors A 63 and B 91. Control unit 90 includes the processor B 91 and a local memory B 92, both connected to a local bus 93. Processor B 91 performs the control function (i.e., control processing) relating to the field devices. This essentially includes performing the point processing, and updating the local memory B 92 and global memory 70. Also coupled to the local bus 93 of control unit 90 is a track unit (not shown) which is
utilized to implement the data base transfer via link 13 to the other controller 30, 40 of the process controller 20. A more detailed description of the track unit can be had by making reference to patent applications:

(a) patent application Ser. No. 07/299,857, entitled "APPARATUS FOR TRACKING PREDETERMINED DATA FOR UPDATING A SECONDARY DATA BASE," by P. Gerhart, filed on Jan. 23, 1989, now U.S. Pat. No. 4,959,768; and

(b) patent application Ser. No. 07/299,859, entitled "METHOD FOR CONTROL DATA BASE UPDATING OF A REDUNDANT PROCESSOR IN A PROCESS CONTROL SYSTEM," by P. McLaughlin et al, filed on Jan. 23, 1989, now U.S. Pat. No. 4,958,270,

both of the above-identified applications assigned to Honeywell Inc., the assignee of the present application. The I/O interface unit 80 includes a receiver-transmitter device, this device being a UART (Universal Asynchronous Receiver/Transmitter) 81. The UART 81 is coupled through drivers 82, 83 to bus A 22 and bus B 23, respectively.

Processor B 91 receives data from the various field devices through global memory 70, performs the necessary point processing and control function, and then updates the local memory B 92 and global memory 70, as required. The communication unit 60, in response to commands from the control unit 90 via global memory 70, inputs and outputs data between the I/O modules 21 (via the I/O interface unit 80) and the global memory 70, thereby relieving the control unit 90 from the burden of I/O module management. In this manner the control processing is performed by the control unit 90 within the process controller 20 for the predefined attached field devices, and the communication (i.e., the I/O control) is handled by the communication unit 60 through the UART 81.

Referring to FIG. 4 there is shown a block diagram of an I/O module. A transceiver (anti-jabber circuit) 201 interfaces with bus A 22 and bus B 23. The transceiver 201 interfaces with a microcontroller (u-controller) 202 which, in the preferred embodiment, is of the type, Intel 80C31. The microcontroller is coupled to a local bus 203, and includes an EPROM 204 and a RAM 205 also connected to the local bus 203. The RAM 205 contains the information which forms the database for the I/O module 21. The EPROM 204 contains the program information utilized by the microcontroller 202. Also attached to local bus 203 is an input buffer which receives the I/O link address information from the I/O link (bus A, bus B, 22, 23). The output buffer (BUFFER OUT) 208 is connected to the local bus 203. The application specific circuits 209 are also connected to the local bus 203 and interfaces with the input and output buffers 206, 208, and the microcontroller 202 via the local bus 203. The application specific circuits 209 vary from I/O module to I/O module depending on the field device to which the I/O module is to be coupled. If the field device is of a type which requires a digital input, then the application specific circuit 209 will include the logic in order to place the digital input into a predefined format which will interface with the remainder of the I/O module. Likewise, if the field device is such that requires an analog input, then the application specific circuit contains logic which converts the analog input signal (via an A/D converter) into a format again consistent with predefined formats. In this manner, the I/O modules are referred to as a specific I/O module type.

The microcontroller 202 performs the I/O processing (or preprocessing) for the application specific circuits 209. The preprocessing will vary from each I/O module 21 depending on the type (i.e., A/I, A/O, . . . ) the preprocessing essentially consisting of translating the signals from the application specific circuits to a format compatible with the controller 30, 40, and putting the signals from controller 30, 40 in a format compatible with the I/O module 21. Some of the preprocessing performed includes zero drift, linearization (linearizing thermocouples), hardware correction, compensation (gain compensation and zero compensation), reference junction compensation, calibration correction, conversions, checking for alarms (limits) . . . and generating a signal in a predetermined format having predetermined scale (i.e., engineering units, normalized units, percent of scale, . . . ). In the preferred embodiment seven types of applications specific circuits are provided for, these include a high level analog input, low level analog input, analog output, digital input, digital output, smart transmitter interface, and pulse input counter.

Referring to FIG. 5, there is shown a functional block diagram of a field terminal assembly (FTA) 251 utilized to implement the redundancy scheme of the present invention. As described above, the process controller 20 includes controller A 30 and controller B 40 connected to the I/O link 22, 23. Also connected to the I/O link 22, 23 are the I/O modules 21 (also referred to herein as input/output processor IOP). In a redundancy scheme of the preferred embodiment of the present invention, the analog output type I/O module 21 is duplicated, shown in FIG. 5 as AO(A) 21-A and AO(B) 21-B. (Other I/O modules are connected to the I/O link 22, 23 as discussed above, but are not shown here for simplicity and in order to focus on the redundancy feature of the present invention.) Each IOP includes a processor 202-A, 202-B, as described above. IOP AO(A) and IOP AO(B) are both connected to a field device (D) 250, through a field terminal assembly (FTA) 251, the field device being a valve, thermocouple, .... Both IOPs, AO(A) 21-A and AO(B) 21-B are performing the same tasks and outputting the same information (presuming no errors in either IOP) to the FTA 251. However, the output from only one IOP is actually coupled to the field device 250, as will now be discussed.

In the preferred embodiment of the present invention, one IOP is designated the main or primary IOP and the other is designated the backup or redundant IOP. Here, IOP AO(A) 21-A is designated the main IOP interfacing with field device 250, and IOP AO(B) 21-B is designated the redundant IOP. Both IOPs are outputting the same information from a corresponding current source 211-A, 211-B. The output information is coupled to a common point 252 (a terminal sometimes referred to as the customer screw), through a corresponding diode 212-A, 212-B. A common point between the current source 211-A and diode 212-A of AO(A) 21-A is coupled to a first contact point 256 of a relay 253 and a common point between current source 211-B and diode 212-B of AO(B) 21-B is coupled to a second contact point 257 of relay 253. The arm 258 of relay 253 is connected to a ground point and is also normally switched (i.e. no current through the coil 254), to the second contact point of the relay 253, such that the output of the second current source 211-B of AO(B) 21-B is shorted to ground. In this manner only the output information from AO(A) 21-A is coupled to the field device 250. In the event of a failure of AO(A)
21-A, the relay 253 switches such that the output from AO(A) 21-A is shorted to ground and the output from the redundant IOP AO(B) 21-B is immediately coupled to the customer screw 252, and thus to the field device 250. The switching of relay 253 is initiated by activating a coil 254 of relay 253.

One terminal of relay coil 254 is connected to AO(A) 21-A and the other terminal of relay coil 254 is connected to AO(B) 21-B. Normally, the relay is switched (no current through coil 254) such that IOP(A) is communicating with the field device 250 and IOP(B) is in the backup mode (i.e., the IOP(B) output is shorted to ground by the relay 253.) When an error is detected by the controller 30, the controller A 30 (or controller B 40 if it is functioning as the primary controller) initiates a command to the IOPs to switch the relay 253. (The IOPs, IOP(A) and IOP(B) can also affect the switch over if they detect an error, as will be described hereinunder.) IOP A can output a positive current, IOP B can output a negative current, or both, to cause the relay 253 to switch.

The IOP redundancy of the present invention will now be described. Referring to FIG. 6, there is shown a simplified block diagram of the process controller of FIG. 2, having the redundancy of the controller omitted, and having an IOP and a backup IOP, only, for purposes of example. In the preferred embodiment, up to forty (40) IOPs can be included, and any mix of IOP types can be included in a redundant or non-redundant configuration. As will be recognized by those skilled in the art from the description above, the controller 30 performs as the master processor, the IOP module 21-A as the slave processor, and the IOP module 21-B as the backup (or redundant) slave processor.

For example purposes only, assume that the process controller 20 has controller 30 operating as the primary controller and I/O module 21-A (an analog output module) configured as module 1 in accordance with configuration rules of the process control system. IOP A 21-A is always present (assuming the requirement for an A/O IOP) and IOP B 21-B is optional (and initially assumes it is not configured. Thus IOP B is shown in dotted lines in FIG. 6.) For example purposes, assume IOP(A) is placed in file address 3 and card address 8. (In the preferred embodiment of the system, the cabinet is divided in files (rows) and card slots.) Thus in this example the "printed circuit card" of an A/O IOP which is designated as IOP(A) 21-A is inserted in row 3, card slot 8. IOP(A) is given a logical address and assume that in this example is assigned logical address number 1. The controller 30 data base includes the data for an IOP connected to BUS-A 22 logical address 1, physical address of IOP(A) of file 3, card 8, and is initially non-redundant (See State 1 of Table 1.) The controller 30 communicates to the slave IOP via the configured logical address. The process control system 10 is powered up and initialized along with the process controller 20, including controller 30 and IOP(A) 21-A, and running normally. IOP(A) 21-A is connected to the "A" points of FTA 251. At some later time, the backup slave IOP 21-B can be added while the system 10 is running. IOP(A) 21-A continues to run normally and IOP(B) 21-B is configured in any spare location in the file (cabinet, row, . . . ). IOP(B) is connected to the "B" terminals of FTA 251, and in accordance with the configuration rules of the system, information is outputted (from the universal station US 122 of the plant control network 11) relating to the IOP(B), including the location information and the fact that IOP(B) is the backup to module 1 (i.e., the module having logical address 1). That information is transmitted to controller 30 during normal operations of the system 10 and the controller data base is updated (reference state 2 of Table 1, assume IOP(B) 21-B has been located in file 4, card slot 10). It will be recognized by those skilled in the art that many techniques are available for the manual inputting of such information from an operators input terminal and will not be discussed further herein since it is not necessary for understanding the redundancy scheme of the present invention. The controller 30 then acts to synchronize the IOP(B) 21-B. Synchronizing is the process whereby the same data base is contained in both IOP(A) 21-A and IOP(B) 21-B. The information of the data base of IOP(A) is requested by the controller 30 and then transferred to IOP(B) 21-B thereby causing the data base of IOP(B) 21-B to be the same, whereupon IOP(B) is commanded to start executing. IOP(B) performs the same operations as IOP(A) and outputs the same information to the FTA 251 at essentially the same time (each IOP [illegible] off its own [illegible]). It will be recognized that IOP(B) 21-B is a dedicated backup. The operation of FTA 251, however, permits the data from only IOP(A) or IOP(B) to reach the field device 250, as described above. Once IOP(B) is synchronized, the controller data base is updated as shown in state 3 of Table 1. In normal operation, all transfers (i.e., writes) to the IOP(A) 21-A from controller 30 are also received by IOP(B). IOP(B) eavesdrops on the communications [illegible] IOP(A) and IOP(B) [illegible] communicates to [illegible] synchronization of IOP(B) [illegible] no [illegible] communications are necessary and hence no extra communications [illegible] taken, and [illegible] the "non-redundant" layer of software. Also, from the above description, redundancy can be achieved while the system 10 is [illegible] redundant "on-the-fly".)

TABLE 1
Controller 30 data base

                            State 1          State 2      State 3      State 4
                            Initial          Initial      Normal       Failover
                            Non-Redundant    Redundant    Redundant
[illegible] Address         [illegible]
File                        3                3            3            3
Card (slot within file)     8                8            8            8
[illegible] File            0                4            4            4
Redundant (Yes or No)       [illegible]
Synchronized (Yes or No)    [illegible]

When an error is detected, it is desired that IOP(A) no longer communicate to the field devices 250, and that IOP(B) pick up communications essentially immediately. This switching is referred to as failover. (Failures can be detected by internal microprocessors failing self-tests, parity errors, watch-dog timers timing out, . . . . Failures can also be directed by the controller in detecting a condition undetected by the primary IOP.) It is desirable that the failover be transparent to the system, i.e., to all non-redundant layers of software. Control lines A (CONTA) 260-A are connected from IOP(A) 21-A to switching module 259, and control lines B (CONTB) 260-B are connected from IOP(B) 21-B to switching module 260. The switching module 260 controls the arm 258 of relay 253. The switching module 259 includes logic which detects and responds to control signals on control lines 260-A, 260-B and causes the relay 253 to switch to the "B" terminals. Since IOP(B) is executing the same as IOP(A) had been before the failure of IOP(A), IOP(B) continues to operate and output to the "B" terminal 256, but after the switching of relay 253, the output from IOP(B) is now coupled to the field devices 250. The controller 30 is assured of polling IOP(A) every 500 ms to ascertain that the primary is still operational, but also can detect failover on the next message intended for the pair. Upon detecting that IOP(A) has failed and that the switching (i.e., failover) has occurred, the controller data base is updated to indicate IOP(B) is primary, as shown in state 4 of Table 1. The controller 30 also awards IOP(B) the logical address 1 (in this example) such that when data is requested by controller from logical address 1, IOP(B) 21-B will respond. In the preferred embodiment of the system, IOP(A) and IOP(B) do not initiate communications with the controller 30, but respond to requests for information. Finally, the message upon which the controller detected failover is re-issued to the new primary (now IOP(B)) so that no messages are lost. During the failover, all other messages are serially queued in a FIFO to assure the intended order from the controller.

In normal operation, the controller 30 is issuing read
requests to logical address 1 (IOP(A) 21-A) based on
requests from other controllers 30, plant control
network 11. These requests are queued up by IOP(A),
and the controller 30 also keeps track of pending
requests in the requested order. When an acknowledgment
of a request is not received by the controller 30 (in
the preferred embodiment retries are attempted), the
controller determines from the controller data base that
there is a backup and that it is synchronized (state 3 of
Table 1). Read requests are made to IOP(A) using physical
addresses, and in this scenario IOP(A) does not respond,
since it has failed. A read request is made to IOP(B)
21-B using the physical address, and IOP(B) acknowledges
and responds to the request. The controller 30 receives
information from the IOP(B) that it has accomplished
failover (as a result of the information transmitted and
received from the control lines B 260-B to the switching
module 259), and also verifies that IOP(B) is
synchronized. The controller 30 then awards IOP(B) 21-B the
logical address of 1, i.e., acknowledges IOP(B) as the
primary (in this example), and updates the controller
data base (state 4 of Table 1). The redundant information
still indicates a Y (yes) in state 4 since this is
configuration data. The dynamic data indicates that IOP(B) is
the primary and that the synchronized information
(relating to the backup IOP, now IOP(A)) indicates "No".
The read requests which were queued up by IOP(A)
and not yet processed are known to the controller 30.
The controller 30 then initiates to IOP(B) those read
requests queued up at the time the failure of IOP(A) was
detected. Thus, no communications (requests from
other subsystems of system 10) go unanswered.
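
As an added example (not code from the patent), the following Python model walks through the controller-side failover sequence described above: a missed acknowledgment after retries, a check of the controller data base, a probe of the backup by physical address, the award of logical address 1, and re-issue of the pending requests in their original order. The class names, the tuple request format, the physical addresses "A" and "B", and the fail_after fault trigger are assumptions made for the illustration; the backup's tap on the bus is modelled as a direct call.

```python
from collections import deque

class IOP:
    def __init__(self, physical, fail_after=float("inf")):  # fail_after: constructed fault
        self.physical, self.db, self.left = physical, {}, fail_after

    def handle(self, req):
        """Answer a request; return None (no acknowledgment) once failed."""
        if self.left <= 0:
            return None
        self.left -= 1
        op, point, value = req
        if op == "write":
            self.db[point] = value
        return (self.physical, op, point, self.db.get(point))

    def eavesdrop(self, req):
        """Backup taps controller-to-primary traffic; only writes update its data base."""
        if req[0] == "write":
            self.db[req[1]] = req[2]

class Controller:
    def __init__(self, a, b):
        self.iops = {a.physical: a, b.physical: b}
        # Data base entry for logical address 1: backup configured and synchronized.
        self.entry = {"redundant": True, "primary": a.physical, "synchronized": True}
        self.pending, self.answered = deque(), []   # pending keeps the issued order

    def backup(self):
        return next(i for p, i in self.iops.items() if p != self.entry["primary"])

    def failover(self):
        """Probe the backup by physical address, then award it logical address 1."""
        ok = self.entry["redundant"] and self.entry["synchronized"]
        if not ok or self.backup().handle(("read", None, None)) is None:
            raise RuntimeError("primary failed and no synchronized backup answered")
        self.entry.update(primary=self.backup().physical, synchronized=False)

    def service(self, retries=2):
        while self.pending:
            req, primary = self.pending[0], self.iops[self.entry["primary"]]
            resp = next(filter(None, (primary.handle(req) for _ in range(1 + retries))), None)
            if resp is None:
                self.failover()      # request stays at the head and is re-issued
                continue
            if self.entry["synchronized"]:
                self.backup().eavesdrop(req)   # models the backup's bus tap
            self.answered.append(resp)
            self.pending.popleft()
        return self.answered
```

Because the entry is marked unsynchronized after the first failover, a later failure of the new primary raises an error instead of silently switching back to an IOP whose data base may be stale.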

In the preferred embodiment of the system 10, the
above described process takes a very short amount of
time, approximately 50 ms, so that control is
unaffected. The control software issues read and write
requests normally every 250 ms in the preferred
embodiment. The process just described is the "redundant
layer" of the software. The control (i.e., the
"non-redundant portion of the controller software") does
nothing different because of the failover or the
redundancy. Thus, the redundancy software is transparent to
the system 10. Further, although only the A/O type
IOP is described, it will be understood by those skilled
in the art that any type IOP can be utilized in the
method thus described. It will be recognized by those
skilled in the art that, although only a single slave IOP
and a corresponding slave IOP have been discussed, the
relay 253 of FTA 251 can include a multiple set of
contact points 256, 257 operating from a single coil 254
(or switching module 259), thereby permitting each
slave IOP to communicate with a plurality of devices
250, which also provides the backup capability to the
plurality of devices.

While there has been shown what is considered the
preferred embodiment of the present invention, it will
be manifest that many changes and modifications can be
made therein without departing from the essential spirit
and scope of the invention. It is intended, therefore, in
the annexed claims, to cover all such changes and
modifications which fall within the true scope of the
invention.

We claim: 

1. In a control system, having a control network for
controlling a process, said control network interfacing
with a controller, the controller having a slave
input/output processor (IOP) connected thereto for
communication with at least one device of a predetermined
type, the predetermined types including analog input,
analog output, digital input, and digital output, the slave
IOP executing a predetermined task and having a data
base associated therewith, said controller also having a
backup slave IOP connected thereto of the same type as
the slave IOP, the slave IOP being operatively
connected to said device and operating as a primary IOP to
said device, a method for providing backup to the slave
IOP by the backup slave IOP comprising the steps of:

a) loading the backup slave IOP with the same data
base and the same predetermined task as the slave
IOP;

b) causing the backup slave IOP to execute essentially
in parallel to the slave IOP;

c) eavesdropping to all communications from the
controller to the slave IOP by the backup slave
IOP, such that:

i) when a write command is communicated to the
slave IOP, updating the backup slave IOP data
base by the backup slave processor; otherwise

ii) ignoring the communication to the slave IOP;

d) ignoring communications from the slave IOP to
the controller by the backup slave IOP, the updating
of the backup slave IOP data base being performed
by the backup slave IOP as a result of the
execution of the same predetermined task on the
same data base by the backup slave IOP, thereby
maintaining the data base of the backup slave IOP
the same as the data base of the slave IOP;

e) upon detecting a fault by either of said slave IOP or
said backup slave IOP, communicating the detection
of said fault to the other IOP;

f) failing over by said IOPs whereby said backup
slave IOP is operatively connected to said device
and said slave IOP is operatively disconnected
from the device; and

g) acknowledging by the controller that the backup
slave IOP is now operating as a primary source to
the device, wherein the failing over from the primary
IOP to the backup slave IOP occurs without
any loss of communication within the control system.

2. A method for providing backup to the slave IOP 
according to claim 1 wherein the step of failing over is 
transparent to the control system. 

3. A method for providing backup to the slave IOP
according to claim 1 wherein the step of loading the
backup slave IOP is performed while the system is
running.

4. A method for providing backup to the slave IOP
according to claim 3 wherein the backup slave IOP is a
dedicated backup to the slave IOP thereby providing a
1:1 backup.

5. A method for providing backup to the slave IOP
according to claim 1 wherein the backup slave IOP is
executing the same program on the same data
essentially simultaneously with the slave IOP.

6. In a control system, having a control network for
controlling a process, said control network interfacing
with at least one controller, each controller having at
least one slave input/output processor (IOP) connected
thereto for communicating with at least one device of a
predetermined type, the predetermined types including
analog input, analog output, digital input, and digital
output, each slave IOP executing a predetermined task
and having a data base associated therewith, each
controller also having at least one backup slave IOP
connected thereto of the same type as the corresponding
slave IOP, each backup slave IOP being dedicated to a
predetermined corresponding slave IOP, each slave
IOP operating as a primary IOP, a method for providing
backup to each slave IOP by the corresponding
backup slave IOP comprising the steps of:

a) loading each backup slave IOP with the same data
base and the same predetermined task as the
corresponding slave IOP;

b) causing the backup slave IOP to execute essentially
in parallel to the corresponding slave IOP;

c) eavesdropping to all communications from the
controller to the slave IOP by the corresponding
backup slave IOP, such that:

i) when a write command is communicated to the
slave IOP, updating the corresponding backup
slave IOP data base by the corresponding
backup slave processor; otherwise

ii) ignoring the communication to the slave IOP;

d) ignoring communications from the slave IOP to
the controller by the corresponding backup slave
IOP, the updating of the corresponding backup
slave IOP data base being performed by the
corresponding backup slave IOP as a result of the
execution of the same predetermined task on the same
data base by the corresponding backup slave IOP,
thereby maintaining the data base of the backup
slave IOP the same as the data base of the
corresponding slave IOP;

e) upon detecting a fault by either of said slave IOP or
said corresponding backup slave IOP, communicating
the detection of said fault to the other IOP;

f) failing over by said IOPs whereby said corresponding
backup slave IOP is operatively connected to
said device and said slave IOP is operatively
disconnected from the device, and

g) acknowledging by the controller that the
corresponding backup slave IOP is now operating as a
primary source to the device, wherein the failing
over from the primary IOP to the corresponding
backup slave IOP occurs without any loss of
communication to the control system.

7. A method for providing backup to the slave IOP 
according to claim 6 wherein the step of failing over is 
transparent to the control system. 

8. A method for providing backup to the slave IOP
according to claim 7 wherein the step of loading the
backup slave IOP is performed while the system is
running.

9. A method for providing backup to the slave IOP
according to claim 6 wherein a first predetermined
number of slave IOPs, each being of a predetermined
type are operatively connected to the controller, and
wherein a second predetermined number of backup
slave IOPs are also operatively connected to said
controller, such that for each slave IOP desirous of having
a backup has a corresponding backup slave IOP of the
same type.

10. A method for providing backup to the slave IOP
according to claim 6 wherein each backup slave IOP is
executing the same program on the same data
essentially simultaneously with the corresponding slave IOP
thereby providing a 1:1 redundancy scheme and
permitting failover to occur transparent to the control system
and without any loss of communications within the
control system.